by Mandy Andress, Network World Global Test Alliance

Patch management

Reviews
Jan 26, 2004
5 mins
Networking, Patch Management Software

SecurityProfiling product offers interesting approach, but lacks polish

Patch management products are growing up. While previously limited to pushing out patches to vulnerable Windows machines, products are branching out to other systems and letting users set how, when and why fixes need to be applied.

In our test of SecurityProfiling’s SysUpdate 4.1.4 with its new Policy Compliance and Enforcement Module 1.0, we found that while the product is moving in the right direction toward policy-based patch management, it’s still a little rough around the edges. Console reliability and administrative detail are lacking.




SysUpdate provides policy-based patch management for Windows, Linux and some Unix operating systems. It identifies each system’s configuration and checks it against the defined policy. Any discrepancies can be corrected immediately or queued pending administrator approval.

The best SysUpdate feature we tested is its concept of Multiple Path Remediation (MPR). It gives administrators choices regarding how best to mitigate the risk for some vulnerabilities – install patches, disable services or modify some other configuration option. In our testing, Windows systems were vulnerable to the latest remote procedure call and Windows Messenger Service attacks. Using MPR, we could install the patch or disable the service. MPR is available only for Windows XP and 2000, with NT and Unix support on the way.

SysUpdate has three parts. SysUpdate Server runs on a Windows system and serves as the central repository for patches and policies. Each monitored machine runs SysUpdate agent software that gathers information – such as file versions and MD5 algorithm hashes – and pushes it to the SysUpdate Server where a logic engine analyzes this data to determine what patches are missing.

SysUpdate Console is a Microsoft Management Console Snap-In that can run on any Windows system. We had problems with the console closing on us after loading a policy or running a report. SecurityProfiling engineers attributed this condition to network congestion severing the client communication with the server. But our traffic was light, and this issue arose even while running the console directly on the SysUpdate Server.

The agents automatically are polled at predetermined times and configured as part of the group policy on the server. Administrators also can manually poll systems for updated information from the management console.

This release of SysUpdate does not ship with an automatic agent deployment mechanism. SecurityProfiling has developed a deployment program, which should be included in the next release, but currently is only available upon request.

Another bump in the testing was that operating system identification was not always accurate. One of our Win 2000 Server systems was identified as running Win 2000 Professional.

We had one of our registered Windows agents disappear from the SysUpdate system. To re-register the system, we had to manually uninstall the agent and then re-install. After agent installation (which requires a reboot), the system will report to the central server.

When identifying patch policies, administrators select which programs to support, including operating system, Microsoft Virtual Machine, SQL Server and a long list of other supported applications. For Windows systems, select what your mandatory service pack baseline is and work from there. The SysUpdate server then downloads the necessary packages (called a core update) from the central patch repository. You are limited in what you can do in SysUpdate while a core update is in progress. For example, we couldn’t schedule a deployment.

The patch-reporting process within SysUpdate Server – which dictates how missing patch information is calculated and displayed in the console – could use some improvement. If a system did not have the baseline service pack installed (SP4 for our testing), you only received notice about that missing service pack. You aren’t notified of what additional patches are missing until the service pack gets installed. We would have preferred to see a laundry list of things that need to be fixed as opposed to receiving them piecemeal.
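The reporting gap described above can be shown with a small model of the agent/server check. This is an added example, not SysUpdate code: the policy layout, host name, file paths and PATCH-A/PATCH-B identifiers are constructed placeholders, and treating every patch as independent of the service pack is a simplifying assumption.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    # MD5 only because the review says the agent reports MD5 hashes.
    return hashlib.md5(data).hexdigest()

# Constructed policy: a baseline service pack plus expected file hashes per patch.
POLICY = {
    "baseline_sp": 4,
    "patches": {
        "PATCH-A": {"path": "system32/rpc_example.dll",
                    "md5": md5_hex(b"rpc fixed build")},
        "PATCH-B": {"path": "system32/msgsvc_example.dll",
                    "md5": md5_hex(b"msgsvc fixed build")},
    },
}

# Constructed agent report: one file is still the unpatched build.
AGENT_REPORT = {
    "host": "host-01",
    "service_pack": 3,
    "files": {
        "system32/rpc_example.dll": md5_hex(b"rpc old build"),
        "system32/msgsvc_example.dll": md5_hex(b"msgsvc fixed build"),
    },
}

def missing_patches(report, policy):
    """Patches whose expected file hash is absent or different on the host."""
    return [pid for pid, spec in sorted(policy["patches"].items())
            if report["files"].get(spec["path"]) != spec["md5"]]

def gated_findings(report, policy):
    """Behaviour observed in the review: below baseline, only the SP is listed."""
    if report["service_pack"] < policy["baseline_sp"]:
        return [f"SP{policy['baseline_sp']}"]
    return missing_patches(report, policy)

def full_findings(report, policy):
    """Behaviour the reviewer preferred: everything outstanding in one list."""
    findings = []
    if report["service_pack"] < policy["baseline_sp"]:
        findings.append(f"SP{policy['baseline_sp']}")
    return findings + missing_patches(report, policy)

if __name__ == "__main__":
    print("gated:", gated_findings(AGENT_REPORT, POLICY))
    print("full: ", full_findings(AGENT_REPORT, POLICY))
```

With gated reporting, the unpatched file on the sample host stays invisible until the service pack is installed and the host is polled again.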


SysUpdate 4.1.4 with Policy Compliance and Enforcement Module 1.0

Overall rating: 3.18

Company: SecurityProfiling, (888) 645-3676
Cost: SysUpdate: $28 per machine for at least 1,500 machines; SysUpdate PC&E: $40 per machine for at least 1,500 machines.
Pros: Supports Windows, Solaris, Red Hat and Debian systems as clients; Multiple Path Remediation provides deployment choices.
Cons: Only can run console on Windows systems; no agent deployment tool; OS identification not always accurate; reports and configuration profile components are quirky.

The breakdown (category, weight, score)

  Patch/policy detection                  30%    3.5
  Patch/policy deployment/enforcement     30%    3.5
  Usability/administration                25%    2.5
  Reporting                               15%    3

  Total score                                    3.18

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

SysUpdate can define configuration profiles. Before using the profiles, you must first define a security template. This process is not as clear as it could be. At least one default security template should be enabled on initial install. Every time we tried to view a configuration policy (without having a template defined), the console would hang and eventually crash trying to load the list.

SysUpdate includes a nice security risk graphing system for the groups you configure that shows the risk level based on how far off the systems are from the defined policy. We would like to see the ability to drill-down to individual system information from this screen.

SysUpdate ships Crystal Reports, but we often encountered the same console crashing issue if we tried to generate a report on a remote console. We successfully generated reports with the console running directly on the SysUpdate server.

Overall, SysUpdate offers some excellent ideas on how to approach vulnerability management based on policy, but it needs a bit of polish before it will be really useful in an enterprise deployment.